Demand for a more secure network switching infrastructure has increased with the proliferation of mobile and/or untethered computing devices (such as supervisory control and data acquisition (SCADA) systems, industrial control systems, transportation systems, smartphones, tablet computers, set-top boxes, and hotspot devices). Applications and web browsers running on such devices and over such an infrastructure may be susceptible to attacks by malicious agents at a resource level or at a resource flow level (such as eavesdropping, key loggers, worms, viruses, Trojan horses, or spoofing attacks). While security experts have developed increasingly complex means of securing traffic flow (such as networking protocols, encryption tunnels, and key generation and authentication systems), the challenge remains to secure a transaction from its origination on a client device to its destination behind a switch, while enabling non-repudiation of the transaction.
Solutions and software systems implementing a public key infrastructure (PKI) may rely on the transmission of a private key to secure transactions in a network. These software systems may require physical access to a certificate authority to store public keys and issue digital certificates. However, this physical access may not be suitable for mobile devices on a wide area network (WAN). More problematic are network security switches and routers that adopt a blacklist approach to prevent malicious agents from connecting to a network and compromising its security. Such a blacklist may implement a draconian set of rules or regular expressions to locate and filter out malicious traffic. To circumvent this, a malicious agent installed on an infected client device may simply change a single bit to evade even the most sophisticated traffic management and malware detection mechanism.
Some systems may implement a trusted platform module (TPM) to facilitate the use of keys and the establishment of secure channels. However, these secure communications between devices may often be manipulated by malicious agents to gain access or to set up tunnels to a backend enterprise. Furthermore, security protocols utilized by these systems, such as transport layer security (TLS), secure sockets layer (SSL), or internet protocol security (IPsec), may not scale in network address translation (NAT) networks, where proxies and reverse proxies may need to be set up to carry traffic on a mobile network. In addition, security protocols utilized by these systems may not be able to validate a user on a specific client device, because the client device may not have been issued an identity from a PKI due to complexities in the enrollment and maintenance of that identity. In that case, a malicious agent in possession of a user's logon credentials may use the credentials to access any resource from any device, regardless of other protections afforded by the device and the network. Also, a malicious agent having remote control of a client device may be able to compromise the integrity of the device and the network and perform malicious actions that may also compromise the ability to perform non-repudiation of a transaction in near real time.